5 Steps to Configure Cisco AnyConnect VPN
As the world continues to work from home this year, I’ve had to configure Cisco AnyConnect VPNs on clients’ ASA firewalls multiple times. Unfortunately, the documentation from Cisco is very confusing, and I’ve seen a lot of organizations doing this wrong (I mean unsafely). The process itself is quite simple, so let’s go through the steps you’ll need to configure Cisco AnyConnect for your VPN.
1. Configure AAA Authentication
The first thing to configure is AAA authentication. I prefer to use RADIUS for authentication and authorization, but there are other options like LDAP. The configuration is similar:
!
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (INSIDE) host 10.10.1.1
 key ****
!
This config part indicates that I have a RADIUS server inside my network with IP address 10.10.1.1, which I am denoting “MYRADIUS” in the ASA configuration. It is accessed through the ASA interface called “INSIDE” in the interface configuration.
2. Define VPN address pools
When a user connects to the VPN, the session needs an IP address. This is the address the user will appear to have inside the corporate network. It has nothing to do with the user's public IP address or any address they might have within their home network; it is only used inside the network after the remote user's traffic has passed through the ASA.
!
ip local pool ANYCONNECT_POOL1 10.99.1.1-10.99.1.254 mask 255.255.255.0
ip local pool ANYCONNECT_POOL2 10.99.2.1-10.99.2.254 mask 255.255.255.0
!
I've defined two pools here because I plan to have multiple tunnel groups later.
3. Tunnel groups configuration
Next, I build my tunnel groups. I will create two such groups for reasons that I will explain later.
!
tunnel-group ANYCONN_1 type remote-access
tunnel-group ANYCONN_1 general-attributes
 address-pool ANYCONNECT_POOL1
 authentication-server-group MYRADIUS
 default-group-policy NOACCESS
tunnel-group ANYCONN_1 webvpn-attributes
 group-alias EMPLOYEES enable
!
tunnel-group ANYCONN_2 type remote-access
tunnel-group ANYCONN_2 general-attributes
 address-pool ANYCONNECT_POOL2
 authentication-server-group MYRADIUS
 default-group-policy NOACCESS
tunnel-group ANYCONN_2 webvpn-attributes
 group-alias VENDORS enable
!
This creates two tunnel groups called ANYCONN_1 and ANYCONN_2. I assign the first pool to the first tunnel group and the second pool to the second group.
Here I am using the "group-alias" command, which creates a dropdown box in the AnyConnect client on the user's computer. Users will see that they can select EMPLOYEES or VENDORS as options. The configuration we create will allow people in the first group to connect only to the first tunnel group and users in the second group only to the second group.
Note that the "authentication-server-group" command may be different in these two tunnel groups. So I can send my staff to one RADIUS server (perhaps one integrated with my LDAP directory, or I could use LDAP directly on the firewall) and the vendors to another server.
4. Set group policies
Now we need group policies. In fact, we need three of them. We need a group policy for employees and a second policy for vendors. The third policy is for anyone who somehow passed authentication but failed authorization. That is, they have valid login credentials but are not authorized to use the VPN.
The main reason why this happens is that they simply chose the wrong profile. But it is also possible for me to have people who are not authorized to use the VPN at all, even though they have legitimate credentials. This may happen because the same authentication system is used for many things.
!
group-policy STAFF_VPN_GROUP internal
group-policy STAFF_VPN_GROUP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value STAFF_VPN_ACL
!
group-policy VENDOR_VPN_GROUP internal
group-policy VENDOR_VPN_GROUP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VENDOR_VPN_ACL
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 0
!
Where do these names come from? This is where things get a little confusing, so bear with me. The group policy names, STAFF_VPN_GROUP and VENDOR_VPN_GROUP, are values provided by the RADIUS server or LDAP server. The server must be configured so that, upon successful authentication, it returns these values in IETF attribute 25, also called Class. The value must be in a specific format: OU=STAFF_VPN_GROUP; (with the trailing semicolon).
Another important small part of the configuration that I want to mention is the “vpn-filter” command. This applies a special ACL (Access Control List) to those users and allows us to restrict what they can and can’t access. For example, if I wanted to allow a group of employees to access anything in the corporate network, but to restrict vendors to only accessing a specific subnet, I could do this:
!
access-list STAFF_VPN_ACL extended permit ip any any
access-list VENDOR_VPN_ACL extended permit ip any 10.99.99.0 255.255.255.0
!
5. Apply the configuration
Finally, we need to enable WebVPN and AnyConnect on the external interface of the firewall (named OUTSIDE in this example):
!
webvpn
 enable OUTSIDE
 anyconnect enable
 tunnel-group-list enable
!
Authentication logical flow
Let’s review the logical flow in this configuration example.
First, the user opens their AnyConnect client. They connect to the hostname (or IP address) of the external ASA interface. Once connected, they get a login screen where they can choose EMPLOYEES or VENDORS from the dropdown list. They enter their user ID and login credentials. So far we are only in the tunnel-group section of the configuration.
The login credentials are then sent to the authentication server group configured for this tunnel group. If authentication is successful, the RADIUS server returns a value in the RADIUS IETF attribute 25 (also called Class). This value carries the name of the group policy this user should be in.
At this point, we can have several different group policies for different groups of users, all connected using the same dropdown. We can set a different ACL for each of them to restrict what they can access depending on their group. This mechanism can define only one group policy. If you want the user to be in multiple groups, you’ll need to get creative with your tunnel groups.
In the tunnel group configuration, we have defined a global default group policy called NOACCESS. If the RADIUS server sends something that ASA doesn’t understand, or maybe nothing at all, the user will be assigned this group policy. For security reasons, we want to deny access in these cases. We do this by making the NOACCESS group policy allow 0 concurrent logins per user ID:
 vpn-simultaneous-logins 0
For those users who have successfully gained access, we can apply the access control list using the "vpn-filter" command. The ASA evaluates this ACL against traffic from the VPN user toward its destinations, so the allowed or denied addresses go in the "destination" part of the ACL:
access-list VENDOR_VPN_ACL extended permit ip any 10.99.99.0 255.255.255.0
The biggest mistake I’ve seen with AnyConnect configs is setting the default group policy in the tunnel group to allow access. It should always deny by default.
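To make the flow above concrete, here is an added Python model (not ASA code, and not from the original post) of how the ASA picks a group policy from the Class attribute, falls back to the tunnel group's default-group-policy, enforces vpn-simultaneous-logins 0, and applies the vpn-filter ACL; the policy and ACL tables are constructed from this post's configuration, and the last case shows the "default policy allows access" mistake.

```python
import ipaddress
import re

# Constructed from the group policies and ACLs in this post.
GROUP_POLICIES = {
    "STAFF_VPN_GROUP": {"logins": 1, "acl": [("any", "any")]},
    "VENDOR_VPN_GROUP": {"logins": 1, "acl": [("any", "10.99.99.0/24")]},
    "NOACCESS": {"logins": 0, "acl": []},
}
# tunnel-group -> default-group-policy, as configured in this post.
TUNNEL_GROUPS = {"ANYCONN_1": "NOACCESS", "ANYCONN_2": "NOACCESS"}

# The post's required Class format: OU=<policy>; with the trailing semicolon.
CLASS_RE = re.compile(r"^OU=([A-Za-z0-9_-]+);$")


def policy_from_class(class_attr, tunnel_group, tunnel_groups=TUNNEL_GROUPS):
    """Return the group policy named by IETF attribute 25 (Class).
    A missing, malformed or unknown value falls back to the tunnel
    group's default-group-policy, as the post describes."""
    default = tunnel_groups[tunnel_group]
    if class_attr is None:
        return default
    m = CLASS_RE.match(class_attr)
    if not m or m.group(1) not in GROUP_POLICIES:
        return default
    return m.group(1)


def login_allowed(policy):
    """vpn-simultaneous-logins 0 means nobody can hold a session."""
    return GROUP_POLICIES[policy]["logins"] > 0


def destination_permitted(policy, dst_ip):
    """Apply the policy's vpn-filter ACL; only the destination is checked."""
    dst = ipaddress.ip_address(dst_ip)
    for _src, dst_net in GROUP_POLICIES[policy]["acl"]:
        if dst_net == "any" or dst in ipaddress.ip_network(dst_net):
            return True
    return False  # implicit deny at the end of every ACL


def vpn_session(tunnel_group, authenticated, class_attr, dst_ip,
                tunnel_groups=TUNNEL_GROUPS):
    """Outcome for one user: (verdict, group policy chosen)."""
    if not authenticated:
        return ("denied", None)
    policy = policy_from_class(class_attr, tunnel_group, tunnel_groups)
    if not login_allowed(policy):
        return ("denied", policy)
    ok = destination_permitted(policy, dst_ip)
    return ("permitted" if ok else "filtered", policy)
```

Swapping the default for ANYCONN_1 to STAFF_VPN_GROUP lets a user whose RADIUS reply carried no Class at all reach the whole network, which is exactly the misconfiguration described above.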
Follow this simple workflow and you should have a straightforward and easily adaptable process to configure Cisco AnyConnect VPN.